> Vadim Pushkin wrote:
>> Thanks Chris;
>>
>> Based on your excellent example:
>>
>>> acl DenyIP_CONNECT url_regex ^[a-z]{1-5}://[0-9]
>>
>> Would I still be required to write IP addresses with a netmask? Or
>> can I mix them, which is my preference.
>
> If I remember correctly, the dst acl prefers a netmask these days. It
> used to assume that any IP address ending with dot zero octets meant it
> should mask the dot zeros (i.e. 127.1.0.0 was equivalent to
> 127.1.0.0/16), but I think that masking is required or assumed to be /32.

No, that apparently was an experiment that had terrible results and has been dropped.

The current behavior with dst and src is:

- a.b.c.d-e.f.g.h/m -> range from start of a.b.c.d/m to end of e.f.g.h/m,
  i.e. 10.0.0.0-11.0.0.0/16 is 10.0.0.0->11.0.255.255

- a.b.c.d-e.f.g -> use a range with netmask of /32 as above

- a.b.c.d/m -> range with netmask /m, logs WARNING if mask removes any bits off a.b.c.d

- a.b.c.d -> use as a.b.c.d/32

- fqdn.domain -> resolve all IPA and use each /32
  (NP: as resolved at configure time, DNS updates are ignored)

Amos
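The five address forms Amos lists, implemented as a small parser so the rules can be checked against concrete values. This is an added example, not Squid's own code and not something posted in this thread. It assumes IPv4 only (the forms in the message), a hypothetical parse_acl_address function that returns inclusive (first, last) ranges plus any warning text, and an injectable resolver so the fqdn case can be exercised offline with constructed addresses; a mask given with an fqdn is ignored, since the message says each resolved address becomes a /32.

```python
"""Parse Squid-style src/dst ACL address values into inclusive IPv4 ranges.

Added example modelled on the rules in the reply above; not Squid source.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple

Addr = ipaddress.IPv4Address
IPRange = Tuple[Addr, Addr]            # inclusive (first, last)
Resolver = Callable[[str], List[str]]  # name -> list of dotted-quad strings


def _dns_resolver(name: str) -> List[str]:
    """Default resolver: every IPv4 address the name has right now.

    Called once at parse time, mirroring 'resolved at configure time'.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def _masked_bounds(addr_text: str, mask: str) -> Tuple[IPRange, bool]:
    """Return (first, last) of addr/mask and whether masking dropped host bits of addr.

    mask may be a prefix length ("16") or a dotted netmask ("255.255.0.0").
    """
    addr = Addr(addr_text)
    net = ipaddress.IPv4Network((addr_text, mask), strict=False)
    lost_bits = net.network_address != addr
    return (net.network_address, net.broadcast_address), lost_bits


def parse_acl_address(value: str, resolver: Resolver = _dns_resolver) -> Tuple[List[IPRange], List[str]]:
    """Hypothetical parser for one src/dst ACL value; returns (ranges, warnings)."""
    warnings: List[str] = []
    body, _, mask = value.partition("/")
    if not mask:
        mask = "32"                     # bare address or bare range: /32

    if "-" in body:                     # a.b.c.d-e.f.g.h[/m]
        lo_text, hi_text = body.split("-", 1)
        (lo, _), _ = _masked_bounds(lo_text, mask)   # start of a.b.c.d/m
        (_, hi), _ = _masked_bounds(hi_text, mask)   # end of e.f.g.h/m
        return [(lo, hi)], warnings

    try:
        Addr(body)
        is_ip = True
    except ipaddress.AddressValueError:
        is_ip = False

    if is_ip:                           # a.b.c.d[/m]
        bounds, lost_bits = _masked_bounds(body, mask)
        if lost_bits:
            warnings.append(
                f"WARNING: {value} has host bits beyond its mask; using {bounds[0]}/{mask}"
            )
        return [bounds], warnings

    # fqdn.domain: resolve now, one /32 per answer; later DNS changes are not seen
    ranges = [(Addr(a), Addr(a)) for a in resolver(body)]
    if not ranges:
        warnings.append(f"WARNING: {body} did not resolve to any IPv4 address")
    return ranges, warnings


def matches(ranges: List[IPRange], ip_text: str) -> bool:
    """True if ip_text falls inside any of the parsed inclusive ranges."""
    ip = Addr(ip_text)
    return any(lo <= ip <= hi for lo, hi in ranges)


if __name__ == "__main__":
    for raw in ("10.0.0.0-11.0.0.0/16", "192.0.2.5/24", "198.51.100.7"):
        ranges, warns = parse_acl_address(raw)
        print(raw, "->", [(str(a), str(b)) for a, b in ranges], warns)
```

The worked value from the message, 10.0.0.0-11.0.0.0/16, comes out as 10.0.0.0 through 11.0.255.255, and 192.0.2.5/24 produces the warning case (the /24 mask discards the .5). The constructed resolver in the test stands in for DNS; in practice the default resolver is consulted exactly once, so a host whose address changes after parsing is not re-resolved, which is the caveat the NP in the reply is pointing at.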